feat(fsp): add intial mount rules on systemd.

apparmor.d/groups/_full/systemd

@@ -52,12 +52,35 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   network inet6 raw,
   network inet6 stream,
   network netlink raw,
-  network packet dgram,
-  network packet raw,
 
-  # TODO: WIP
+  mount -> @{run}/systemd/incoming/,
-  mount,
+  mount -> @{run}/systemd/mount-rootfs/{,**},
-  umount,
+  mount -> @{sys}/fs/fuse/connections/,
+  mount -> @{sys}/kernel/config/,
+  mount -> @{sys}/kernel/debug/,
+  mount -> @{sys}/kernel/tracing/,
+  mount -> /,
+  mount -> /dev/, 
+  mount -> /dev/hugepages/,
+  mount -> /dev/mqueue/,
+  mount -> /efi/, 
+  mount -> /tmp/,
+  mount @{run}/systemd/namespace-@{rand6}/ -> @{run}/systemd/mount-rootfs/proc/, 
+  mount @{run}/systemd/namespace-@{rand6}/dev/ -> @{run}/systemd/mount-rootfs/dev/,
+  mount /dev/*/ -> @{run}/systemd/namespace-@{rand6}/dev/*/, 
+  mount /dev/ptmx -> @{run}/systemd/namespace-@{rand6}/dev/ptmx,
+  mount /dev/tty -> @{run}/systemd/namespace-@{rand6}/dev/tty,
+  mount /tmp/systemd-private-*/tmp/ -> @{run}/systemd/mount-rootfs/tmp/,
+  mount fstype=proc proc -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=sysfs sysfs -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=tmpfs tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
+  mount fstype=tmpfs tmpfs -> /dev/shm/,
+
+  umount /,
+  umount /dev/shm/,
+  umount @{run}/systemd/mount-rootfs/{,**},
+  umount @{run}/systemd/namespace-@{rand6}/{,**},
+  umount @{run}/systemd/unit-root/{,**},
 
   pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
   pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/,